DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools

A top Department of Homeland Security official has admitted to Congress that imported software and hardware components are being purposely spiked with security-compromising attack tools by unknown foreign parties.

A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties. In testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT) that both Homeland Security and the White House have been aware of the threat for quite some time.

When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that "I am aware of instances where that has happened," after some hesitation.

This supply chain security issue essentially means that, somewhere along the line, technology being marketed in the United States was either compromised or purposely designed to enable cyberattacks.

Schaffer, who has an extensive background in cybersecurity and communications infrastructure management, did not elaborate on the compromised tech that DHS has encountered. However, he did emphasize that foreign components are found in many American-manufactured devices.

As a matter of sheer speculation, it is not hard to imagine computers, portable devices, and components marketed in the United States being purposely infected with malware, spyware, or other forms of security-compromising software by request of either foreign companies or foreign governments. More worryingly, the hearing specifically mentioned hardware components as possibly being compromised—which raises the questions of whether, perhaps, something as innocuous as Flash memory or embedded RFID chips could be used by interested foreign parties.

During questioning, Schaffer said that a whole-of-government effort would be required to combat security holes caused by malware and spyware making their way through America's electronics supply chain.

Rep. Darrell Issa (R-CA) also specifically asked witnesses about the risk of electronics being sold stateside being purposely designed for cyberattacks. In his words, "software infrastructure, hardware, [and] other things are built overseas that come to the United States with items that are embedded already in them by the time they get here to the United States."

The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.

A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries
to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.

[Emphasis added]

The Cyberspace Policy Review was written several months ago. Apparently, Homeland Security has found documented examples in the meantime.

Judging from the White House's statement, most of these strategic security compromises have been found in counterfeit and gray-market electronic products.

Schaffer was testifying before committee to discuss a White House policy proposal that offer incentives for private companies to share information with the federal government. The proposal also calls for modifying the Federal Information Security Management Act. Other witnesses included Associate Deputy Attorney General James A. Baker, DoD Deputy Assistant Secretary of Defense for Cyber Policy Robert J. Butler, and Senior Internet Policy Advisor to the National Institute of Standards and Technology Ari Schwartz.

A good idea, but not what this article is about. What they are describing is malicious software in what you would call firmware or embedded software. The FAT partition on your flash drive doesn't have a virus, but it's memory controller does, for example. Or the OS on your stand alone NAS...

Format your USB memory sticks, my friends...Malware infection from right-out-of-the-shrink-wrap hardware has cropped up again and again, but I'm incredulous about the threat warranting congressional involvement. Modern operating systems should be inoculated from the types of threats surreptitiously placed on rogue hardware as a matter of course, regardless if the source is BestBuy or your best friend.

Where is the supporting reference to back up the story? You site Greg Schaffer. You site the Cyberspace Policy Review. But there is no supporting evidence gains out side of "the government says."

If this is really a big problem, then there would be reports in the commercial world with evidence. The cybersecurity industry has a huge "rush to blog" problem to point out big issues. Yet, there is no references from anti-virus vendors or others in the industry.

IMHO - is this a problem? Yes. A good research on the net will find stories of manufactures who have a supply chain mishap where a virus got into the master copies. ( see example Another Infected Digital Photo Frame ) But many of these lead to disciple problems in the manufacturing process, not some evil genius infecting refrigerators and cars. Could someone plot to make this happen? If there is money to be gained, the cyber-criminal community would have the economic incentive to use supply chain violation to make money .... if there is a decent profit margin and low chance of getting caught.